| < draft-ietf-kitten-sasl-oauth-05.txt | draft-ietf-kitten-sasl-oauth-06.txt > | |||
|---|---|---|---|---|
| KITTEN W. Mills | KITTEN W. Mills | |||
| Internet-Draft Yahoo! Inc. | Internet-Draft Yahoo! Inc. | |||
| Intended status: Standards Track T. Showalter | Intended status: Standards Track T. Showalter | |||
| Expires: February 24, 2013 | Expires: March 5, 2013 | |||
| H. Tschofenig | H. Tschofenig | |||
| Nokia Siemens Networks | Nokia Siemens Networks | |||
| August 23, 2012 | September 1, 2012 | |||
| A set of SASL and GSS-API Mechanisms for OAuth | A set of SASL and GSS-API Mechanisms for OAuth | |||
| draft-ietf-kitten-sasl-oauth-05 | draft-ietf-kitten-sasl-oauth-06 | |||
| Abstract | Abstract | |||
| OAuth enables a third-party application to obtain limited access to a | OAuth enables a third-party application to obtain limited access to a | |||
| protected resource, either on behalf of a resource owner by | protected resource, either on behalf of a resource owner by | |||
| orchestrating an approval interaction, or by allowing the third-party | orchestrating an approval interaction, or by allowing the third-party | |||
| application to obtain access on its own behalf. | application to obtain access on its own behalf. | |||
| This document defines how an application client uses credentials | This document defines how an application client uses credentials | |||
| obtained via OAuth over the Simple Authentication and Security Layer | obtained via OAuth over the Simple Authentication and Security Layer | |||
| skipping to change at page 2, line 4 ¶ | skipping to change at page 2, line 4 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on February 24, 2013. | This Internet-Draft will expire on March 5, 2013. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2012 IETF Trust and the persons identified as the | Copyright (c) 2012 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 7 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 3. OAuth SASL Mechanism Specification . . . . . . . . . . . . . . 8 | 3. OAuth SASL Mechanism Specifications . . . . . . . . . . . . . 8 | |||
| 3.1. Initial Client Response . . . . . . . . . . . . . . . . . 9 | 3.1. Initial Client Response . . . . . . . . . . . . . . . . . 9 | |||
| 3.1.1. Reserved Key/Values . . . . . . . . . . . . . . . . . 10 | 3.1.1. Reserved Key/Values . . . . . . . . . . . . . . . . . 10 | |||
| 3.1.2. Use of the gs2-header . . . . . . . . . . . . . . . . 10 | 3.1.2. Use of the gs2-header . . . . . . . . . . . . . . . . 10 | |||
| 3.2. Server's Response . . . . . . . . . . . . . . . . . . . . 10 | 3.2. Server's Response . . . . . . . . . . . . . . . . . . . . 10 | |||
| 3.2.1. Mapping to SASL Identities . . . . . . . . . . . . . . 11 | 3.2.1. Mapping to SASL Identities . . . . . . . . . . . . . . 11 | |||
| 3.2.2. Server response to failed authentication. . . . . . . 11 | 3.2.2. Canonicalization . . . . . . . . . . . . . . . . . . . 11 | |||
| 3.2.3. Completing an error message sequence. . . . . . . . . 12 | 3.2.3. Server response to failed authentication. . . . . . . 11 | |||
| 3.2.4. Completing an error message sequence. . . . . . . . . 12 | ||||
| 3.3. Use of Signature Type Authorization . . . . . . . . . . . 12 | 3.3. Use of Signature Type Authorization . . . . . . . . . . . 12 | |||
| 3.4. Channel Binding . . . . . . . . . . . . . . . . . . . . . 13 | 3.4. Channel Binding . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 4. GSS-API OAuth Mechanism Specification . . . . . . . . . . . . 14 | 4. GSS-API OAuth Mechanism Specification . . . . . . . . . . . . 14 | |||
| 5. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 | 5. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 | |||
| 5.1. Successful Bearer Token Exchange . . . . . . . . . . . . . 15 | 5.1. Successful Bearer Token Exchange . . . . . . . . . . . . . 16 | |||
| 5.2. OAuth 1.0a Authorization with Channel Binding . . . . . . 16 | 5.2. OAuth 1.0a Authorization with Channel Binding . . . . . . 17 | |||
| 5.3. Failed Exchange . . . . . . . . . . . . . . . . . . . . . 17 | 5.3. Failed Exchange . . . . . . . . . . . . . . . . . . . . . 18 | |||
| 5.4. Failed Channel Binding . . . . . . . . . . . . . . . . . . 18 | 5.4. Failed Channel Binding . . . . . . . . . . . . . . . . . . 19 | |||
| 5.5. SMTP Example of a failed negotiation. . . . . . . . . . . 18 | 5.5. SMTP Example of a failed negotiation. . . . . . . . . . . 19 | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . 20 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 21 | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 21 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 22 | |||
| 7.1. SASL Registration . . . . . . . . . . . . . . . . . . . . 21 | 7.1. SASL Registration . . . . . . . . . . . . . . . . . . . . 22 | |||
| 7.2. GSS-API Registration . . . . . . . . . . . . . . . . . . . 22 | 7.2. GSS-API Registration . . . . . . . . . . . . . . . . . . . 23 | |||
| 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 23 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 24 | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . . 23 | 8.1. Normative References . . . . . . . . . . . . . . . . . . . 24 | |||
| 8.2. Informative References . . . . . . . . . . . . . . . . . . 24 | 8.2. Informative References . . . . . . . . . . . . . . . . . . 25 | |||
| Appendix A. Acknowlegements . . . . . . . . . . . . . . . . . . . 25 | Appendix A. Acknowlegements . . . . . . . . . . . . . . . . . . . 26 | |||
| Appendix B. Document History . . . . . . . . . . . . . . . . . . 26 | Appendix B. Document History . . . . . . . . . . . . . . . . . . 27 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 28 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 29 | |||
| 1. Introduction | 1. Introduction | |||
| OAuth [I-D.ietf-oauth-v2] enables a third-party application to obtain | OAuth [I-D.ietf-oauth-v2] enables a third-party application to obtain | |||
| limited access to a protected resource, either on behalf of a | limited access to a protected resource, either on behalf of a | |||
| resource owner by orchestrating an approval interaction, or by | resource owner by orchestrating an approval interaction, or by | |||
| allowing the third-party application to obtain access on its own | allowing the third-party application to obtain access on its own | |||
| behalf. The core OAuth specification [I-D.ietf-oauth-v2] does not | behalf. The core OAuth specification [I-D.ietf-oauth-v2] does not | |||
| define the interaction between the client and the resource server | define the interaction between the client and the resource server | |||
| with the access to a protected resource using an Access Token. This | with the access to a protected resource using an Access Token. This | |||
| functionality is described in separate specifications, for example | functionality is described in separate specifications, for example | |||
| [I-D.ietf-oauth-v2-bearer], [I-D.ietf-oauth-v2-http-mac], and OAuth | Bearer tokens [I-D.ietf-oauth-v2-bearer], MAC tokens | |||
| 1.0a [RFC5849] where the focus is on an HTTP-based environment only. | [I-D.ietf-oauth-v2-http-mac], and OAuth 1.0a [RFC5849]. In each of | |||
| these are defined in an HTTP-based environment only. | ||||
| Figure 1 shows the abstract message flow as shown in Figure 1 of | Figure 1 shows the abstract message flow as shown in Figure 1 of | |||
| [I-D.ietf-oauth-v2]. | [I-D.ietf-oauth-v2]. | |||
| +--------+ +---------------+ | +--------+ +---------------+ | |||
| | |--(A)- Authorization Request ->| Resource | | | |--(A)- Authorization Request ->| Resource | | |||
| | | | Owner | | | | | Owner | | |||
| | |<-(B)-- Authorization Grant ---| | | | |<-(B)-- Authorization Grant ---| | | |||
| | | +---------------+ | | | +---------------+ | |||
| | | | | | | |||
| skipping to change at page 8, line 5 ¶ | skipping to change at page 8, line 5 ¶ | |||
| The reader is assumed to be familiar with the terms used in the OAuth | The reader is assumed to be familiar with the terms used in the OAuth | |||
| 2.0 specification [I-D.ietf-oauth-v2]. | 2.0 specification [I-D.ietf-oauth-v2]. | |||
| In examples, "C:" and "S:" indicate lines sent by the client and | In examples, "C:" and "S:" indicate lines sent by the client and | |||
| server respectively. Line breaks have been inserted for readability. | server respectively. Line breaks have been inserted for readability. | |||
| Note that the IMAP SASL specification requires base64 encoding | Note that the IMAP SASL specification requires base64 encoding | |||
| message, not this memo. | message, not this memo. | |||
| 3. OAuth SASL Mechanism Specification | 3. OAuth SASL Mechanism Specifications | |||
| SASL is used as a generalized authentication method in a variety of | SASL is used as a generalized authentication method in a variety of | |||
| application layer protocols. This document defines the following | application layer protocols. This document defines the following | |||
| SASL mechanisms for usage with OAuth: | SASL mechanisms for usage with OAuth: | |||
| OAUTHBEARER Authorization using Bearer tokens. | OAUTHBEARER Authorization using Bearer tokens. | |||
| OAUTH10A Authorization using OAuth 1.0a tokens. | OAUTH10A Authorization using OAuth 1.0a tokens. | |||
| OAUTH10A-PLUS Adds channel binding [RFC5056] capability to | OAUTH10A-PLUS Adds channel binding [RFC5056] capability to | |||
| OAUTH10A for additional security guarantees. | OAUTH10A for additional security guarantees. | |||
| Any new OAuth token scheme MAY define a new SASL mechanism compatible | Any new OAuth token scheme MAY define a new SASL mechanism compatible | |||
| with the mechanisms defined here by simply registering the new | with the mechanisms defined here by simply registering the new | |||
| name(s) and citing this specification for the further definition. | name(s) and citing this specification for the further definition. | |||
| New channel binding enabled "-PLUS" mechanisms defined in this way | New channel binding enabled "-PLUS" mechanisms defined in this way | |||
| MUST include message integrity protection. | MUST include message integrity protection. A newly defined mechanism | |||
| would also need to register a new GS2 OID. | ||||
| These mechanisms are client initiated and lock-step, the server | These mechanisms are client initiated and lock-step, the server | |||
| always replying to a client message. In the case where the client | always replying to a client message. In the case where the client | |||
| has and correctly uses a valid token the flow is: | has and correctly uses a valid token the flow is: | |||
| o Client sends a valid and correct initial client response. | o Client sends a valid and correct initial client response. | |||
| o Server responds with a successful authentication. | o Server responds with a successful authentication. | |||
| In the case where authorization fails the server sends an error | In the case where authorization fails the server sends an error | |||
| skipping to change at page 9, line 27 ¶ | skipping to change at page 9, line 27 ¶ | |||
| kvpair = key "=" value kvsep | kvpair = key "=" value kvsep | |||
| client_resp = 0*kvpair kvsep | client_resp = 0*kvpair kvsep | |||
| ;; gs2-header = As defined in GSS-API | ;; gs2-header = As defined in GSS-API | |||
| initial_client_resp = gs2-header kvsep client_resp | initial_client_resp = gs2-header kvsep client_resp | |||
| The following key/value pairs are defined in the client response: | The following key/value pairs are defined in the client response: | |||
| auth (REQUIRED): The payload of the HTTP Authorization header for | auth (REQUIRED): The payload of the HTTP Authorization header for | |||
| an equivalent HTTP OAuth authroization. | an equivalent HTTP OAuth authroization. | |||
| user (REQUIRED): The authorization ID. The server MAY use this | ||||
| as a routing or database lookup hint. The server MUST NOT use | ||||
| this as authoritative, the user name MUST be asserted by the | ||||
| OAuth credential. | ||||
| host: Contains the host name to which the client connected. | host: Contains the host name to which the client connected. | |||
| port: Contains the port number represented as a decimal positive | port: Contains the port number represented as a decimal positive | |||
| integer string without leading zeros to which the client | integer string without leading zeros to which the client | |||
| connected. | connected. | |||
| qs: The HTTP query string. In non-channel binding mechanisms | qs: The HTTP query string. In non-channel binding mechanisms | |||
| this is reserved, the client SHOUD NOT send it, and has the | this is reserved, the client SHOUD NOT send it, and has the | |||
| default value of "". In "-PLUS" variants this carries a single | default value of "". In "-PLUS" variants this carries a single | |||
| key value pair "cbdata" for the channel binding data payload | key value pair "cbdata" for the channel binding data payload | |||
| skipping to change at page 10, line 31 ¶ | skipping to change at page 10, line 29 ¶ | |||
| post (RESERVED): HTTP post data, the default value is "". | post (RESERVED): HTTP post data, the default value is "". | |||
| 3.1.2. Use of the gs2-header | 3.1.2. Use of the gs2-header | |||
| The OAuth scheme related mechanisms are also GSS-API mechanisms, see | The OAuth scheme related mechanisms are also GSS-API mechanisms, see | |||
| Section 4 for further detail. The gs2-header is used as follows: | Section 4 for further detail. The gs2-header is used as follows: | |||
| o The "gs2-nonstd-flag" MUST NOT be present. | o The "gs2-nonstd-flag" MUST NOT be present. | |||
| o The "gs2-authzid" carries the authorization identity as specified | o The "gs2-authzid" carries the authorization identity as specified | |||
| in [RFC5801]. | in [RFC5801]. This MUST agree with the identity asserted in the | |||
| OAuth credential. | ||||
| In the non "-PLUS" mechanisms the "gs2-cb-flag" MUST be set to "n" | In the non "-PLUS" mechanisms the "gs2-cb-flag" MUST be set to "n" | |||
| because channel-binding [RFC5056] data is not expected. In the | because channel-binding [RFC5056] data is not expected. In the | |||
| OAUTH10A-PLUS mechanism (or other -PLUS variants based on this | OAUTH10A-PLUS mechanism (or other -PLUS variants based on this | |||
| specification) the "gs2-cb-flag" MUST be set appropriately by the | specification) the "gs2-cb-flag" MUST be set appropriately by the | |||
| client. | client. | |||
| 3.2. Server's Response | 3.2. Server's Response | |||
| The server validates the response per the specification for the | The server validates the response per the specification for the | |||
| skipping to change at page 11, line 19 ¶ | skipping to change at page 11, line 17 ¶ | |||
| the user ID to be used as the authorization identity (identity to act | the user ID to be used as the authorization identity (identity to act | |||
| as). The server MUST use the ID obtained from the credential as the | as). The server MUST use the ID obtained from the credential as the | |||
| user being authorized. | user being authorized. | |||
| 3.2.1. Mapping to SASL Identities | 3.2.1. Mapping to SASL Identities | |||
| Some OAuth mechanisms can provide both an authorization identity and | Some OAuth mechanisms can provide both an authorization identity and | |||
| an authentication identity. An example of this is OAuth 1.0a | an authentication identity. An example of this is OAuth 1.0a | |||
| [RFC5849] where the consumer key (oauth_consumer_key) identifies the | [RFC5849] where the consumer key (oauth_consumer_key) identifies the | |||
| entity using the token which equates to the SASL authentication | entity using the token which equates to the SASL authentication | |||
| identity, and is authenticated using the shared secret. The | identity, and is authenticated using the shared secret. The server | |||
| authorization identity in the OAuth 1.0a case is carried in the token | MAY use a consumer key, a value derived from it, or other comparable | |||
| (per the requirement above), which SHOULD be validated independently. | identity in the OAuth authorization scheme to allow SASL an | |||
| The server MAY use a consumer key, a value derived from it, or other | authentication identity different from the authorization identity to | |||
| comparable identity in the OAuth authorization scheme as the SASL | be set. | |||
| authentication identity. If an appropriate authentication identity | ||||
| is not available the server MUST use the authorization identity as | ||||
| the authentication identity. | ||||
| 3.2.2. Server response to failed authentication. | 3.2.2. Canonicalization | |||
| The identity asserted by the OAuth authorization server is canonical | ||||
| for display. The server MAY provide a different canonical form based | ||||
| on local data. | ||||
| 3.2.3. Server response to failed authentication. | ||||
| For a failed authentication the server returns a JSON [RFC4627] | For a failed authentication the server returns a JSON [RFC4627] | |||
| formatted error result, and fails the authentication. The error | formatted error result, and fails the authentication. The error | |||
| result consists of the following values: | result consists of the following values: | |||
| status (REQUIRED): The authorization error code. Valid error | status (REQUIRED): The authorization error code. Valid error | |||
| codes are defined in the IANA [[need registry name]] registry | codes are defined in the IANA [[need registry name]] registry | |||
| specified in the OAuth 2 core specification. | specified in the OAuth 2 core specification. | |||
| scope (OPTIONAL): An OAuth scope which is valid to access the | scope (OPTIONAL): An OAuth scope which is valid to access the | |||
| skipping to change at page 12, line 12 ¶ | skipping to change at page 12, line 12 ¶ | |||
| information (which is beyond the scope of this memo). If not present | information (which is beyond the scope of this memo). If not present | |||
| then the client SHOULD presume an empty scope (unscoped token) is | then the client SHOULD presume an empty scope (unscoped token) is | |||
| needed. | needed. | |||
| If channel binding is in use and the channel binding fails the server | If channel binding is in use and the channel binding fails the server | |||
| responds with a status code set to 412 to indicate that the channel | responds with a status code set to 412 to indicate that the channel | |||
| binding precondition failed. If the authentication scheme in use | binding precondition failed. If the authentication scheme in use | |||
| does not include signing the server SHOULD revoke the presented | does not include signing the server SHOULD revoke the presented | |||
| credential and the client SHOULD discard that credential. | credential and the client SHOULD discard that credential. | |||
| 3.2.3. Completing an error message sequence. | 3.2.4. Completing an error message sequence. | |||
| If the client gets an error message from the server it MUST send an | Section 3.6 of [RFC4422] explicitly prohibits additional information | |||
| empty client response consisting of a single %x01 (control A) | in an unsuccessful authentication outcome. Therefor, the error | |||
| character, which is a correctly formatted client response with no | message is sent in a normal message. The client MUST then send an | |||
| key/value pairs. The server then completes the SASL negotiation with | additional client response consisting of a single %x01 (control A) | |||
| a failure result. | character to the server in order to allow the server to finish the | |||
| exchange. | ||||
| 3.3. Use of Signature Type Authorization | 3.3. Use of Signature Type Authorization | |||
| This mechanism supports authorization using signatures, which | Some OAuth mechanisms support authorization using signatures, which | |||
| requires that both client and server construct the string to be | requires that both client and server construct the string to be | |||
| signed. OAuth 2 is designed for authentication/authorization to | signed. OAuth 2 is designed for authentication/authorization to | |||
| access specific URIs. SASL is designed for user authentication, and | access specific URIs. SASL is designed for user authentication, and | |||
| has no facility for being more specific. In this mechanism we | has no facility for being more specific. In this mechanism we | |||
| require or define default values for the data elements from an HTTP | require or define default values for the data elements from an HTTP | |||
| request which allow the signature base string to be constructed | request which allow the signature base string to be constructed | |||
| properly. The default HTTP path is "/" and the default post body is | properly. The default HTTP path is "/" and the default post body is | |||
| empty. These atoms are defined as extension points so that no | empty. These atoms are defined as extension points so that no | |||
| changes are needed if there is a revision of SASL which supports more | changes are needed if there is a revision of SASL which supports more | |||
| specific resource authorization, e.g. IMAP access to a specific | specific resource authorization, e.g. IMAP access to a specific | |||
| folder or FTP access limited to a specific directory. | folder or FTP access limited to a specific directory. | |||
| Using the example in the OAuth 1.0a specification as a starting | Using the example in the OAuth 1.0a specification as a starting | |||
| point, on an IMAP server running on port 143 and given the OAuth 1.0a | point, on an IMAP server running on port 143 and given the OAuth 1.0a | |||
| style authorization request (with %x01 shown as ^A and line breaks | style authorization request (with %x01 shown as ^A and line breaks | |||
| added for readability) below: | added for readability) below: | |||
| n,a=user@example.com,^A | n,a=user@example.com^A | |||
| host=example.com^A | host=example.com^A | |||
| user=user@example.com^A | user=user@example.com^A | |||
| port=143^A | port=143^A | |||
| auth=OAuth realm="Example", | auth=OAuth realm="Example", | |||
| oauth_consumer_key="9djdj82h48djs9d2", | oauth_consumer_key="9djdj82h48djs9d2", | |||
| oauth_token="kkk9d7dh3k39sjv7", | oauth_token="kkk9d7dh3k39sjv7", | |||
| oauth_signature_method="HMAC-SHA1", | oauth_signature_method="HMAC-SHA1", | |||
| oauth_timestamp="137131201", | oauth_timestamp="137131201", | |||
| oauth_nonce="7d8f3e4a", | oauth_nonce="7d8f3e4a", | |||
| oauth_signature="Tm90IGEgcmVhbCBzaWduYXR1cmU%3D"^A^A | oauth_signature="Tm90IGEgcmVhbCBzaWduYXR1cmU%3D"^A^A | |||
| skipping to change at page 14, line 10 ¶ | skipping to change at page 14, line 10 ¶ | |||
| raw data from the channel binding type. For example, if the client | raw data from the channel binding type. For example, if the client | |||
| is using tls-unique for channel binding then the raw channel binding | is using tls-unique for channel binding then the raw channel binding | |||
| data is the TLS finished message as specified in section 3.1 of | data is the TLS finished message as specified in section 3.1 of | |||
| [RFC5929]. | [RFC5929]. | |||
| 4. GSS-API OAuth Mechanism Specification | 4. GSS-API OAuth Mechanism Specification | |||
| Note: The normative references in this section are informational for | Note: The normative references in this section are informational for | |||
| SASL implementers, but they are normative for GSS-API implementers. | SASL implementers, but they are normative for GSS-API implementers. | |||
| The SASL OAuth mechanism is also a GSS-API mechanism and the messages | A SASL OAuth mechanism is also a GSS-API mechanism and the messages | |||
| described in Section 3 are the same with the following changes to the | described in Section 3 are the same with the following changes to the | |||
| GS2 related elements: | GS2 related elements: | |||
| 1. the GS2 header on the client's first message and the following | 1. the GS2 header on the client's first message is excluded when | |||
| %x01 (control A) are excluded when used as a GSS-API mechanism. | used as a GSS-API mechanism. | |||
| 2. the initial context token header is prefixed to the client's | 2. the initial context token header is prefixed to the client's | |||
| first authentication message (context token), as described in | first authentication message (context token), as described in | |||
| Section 3.1 of RFC 2743, | Section 3.1 of RFC 2743, | |||
| The GSS-API mechanism OID for OAuth is [[TBD: IANA]]. | The GSS-API mechanism OIDs are: | |||
| OAuth security contexts always have the mutual_state flag | o OAUTHBEARER: [[TBD: IANA -- probably in the 1.3.6.1.5.5 tree]] | |||
| o OAUTH10A: [[TBD: IANA -- probably in the 1.3.6.1.5.5 tree]] | ||||
| OAuth mechanims security contexts always have the mutual_state flag | ||||
| (GSS_C_MUTUAL_FLAG) set to TRUE. OAuth supports credential | (GSS_C_MUTUAL_FLAG) set to TRUE. OAuth supports credential | |||
| delegation, therefore security contexts may have the deleg_state flag | delegation, therefore security contexts may have the deleg_state flag | |||
| (GSS_C_DELEG_FLAG) set to either TRUE or FALSE. | (GSS_C_DELEG_FLAG) set to either TRUE or FALSE. | |||
| The mutual authentication property of this mechanism relies on | The mutual authentication property of this mechanism relies on | |||
| successfully comparing the TLS server identity with the negotiated | successfully comparing the TLS server identity with the negotiated | |||
| target name. Since the TLS channel is managed by the application | target name. Since the TLS channel is managed by the application | |||
| outside of the GSS-API mechanism, the mechanism itself is unable to | outside of the GSS-API mechanism, the mechanism itself is unable to | |||
| confirm the name while the application is able to perform this | confirm the name while the application is able to perform this | |||
| comparison for the mechanism. For this reason, applications MUST | comparison for the mechanism. For this reason, applications MUST | |||
| match the TLS server identity with the target name, as discussed in | match the TLS server identity with the target name, as discussed in | |||
| [RFC6125]. | [RFC6125]. | |||
| The OAuth mechanism does not support per-message tokens or | OAuth mechanisms do not support per-message tokens or | |||
| GSS_Pseudo_random. | GSS_Pseudo_random. | |||
| OAuth supports a standard generic name syntax for acceptors, such as | OAuth supports a standard generic name syntax for acceptors, such as | |||
| GSS_C_NT_HOSTBASED_SERVICE (see [RFC2743], Section 4.1). These | GSS_C_NT_HOSTBASED_SERVICE (see [RFC2743], Section 4.1). These | |||
| service names MUST be associated with the "entityID" claimed by the | service names MUST be associated with the "entityID" claimed by the | |||
| RP. OAuth supports only a single name type for initiators: | RP. OAuth mechanisms support only a single name type for initiators: | |||
| GSS_C_NT_USER_NAME. GSS_C_NT_USER_NAME is the default name type. | GSS_C_NT_USER_NAME. GSS_C_NT_USER_NAME is the default name type. | |||
| The query, display, and exported name syntaxes for OAuth principal | The query, display, and exported name syntaxes for OAuth principal | |||
| names are all the same. There is no OAuth-specific name syntax; | names are all the same. There is no OAuth-specific name syntax; | |||
| applications SHOULD use generic GSS-API name types, such as | applications SHOULD use generic GSS-API name types, such as | |||
| GSS_C_NT_USER_NAME and GSS_C_NT_HOSTBASED_SERVICE (see [RFC2743], | GSS_C_NT_USER_NAME and GSS_C_NT_HOSTBASED_SERVICE (see [RFC2743], | |||
| Section 4). The exported name token does, of course, conform to | Section 4). The exported name token does, of course, conform to | |||
| [RFC2743], Section 3.2, but the "NAME" part of the token should be | [RFC2743], Section 3.2, but the "NAME" part of the token should be | |||
| treated as a potential input string to the OAuth name normalization | treated as a potential input string to the OAuth name normalization | |||
| rules. | rules. | |||
| 5. Examples | 5. Examples | |||
| These example illustrate exchanges between an IMAP client and an IMAP | These examples illustrate exchanges between an IMAP and SMTP clients | |||
| server. | and servers. | |||
| Note to implementers: Authorization scheme names are case | Note to implementers: Authorization scheme names are case | |||
| insensitive. One example uses "Bearer" but that could as easily be | insensitive. One example uses "Bearer" but that could as easily be | |||
| "bearer", "BEARER", or "BeArEr". | "bearer", "BEARER", or "BeArEr". | |||
| 5.1. Successful Bearer Token Exchange | 5.1. Successful Bearer Token Exchange | |||
| This example shows a successful OAuth 2.0 bearer token exchange. | This example shows a successful OAuth 2.0 bearer token exchange. | |||
| Note that line breaks are inserted for readability. | Note that line breaks are inserted for readability. | |||
| S: * IMAP4rev1 Server Ready | S: * IMAP4rev1 Server Ready | |||
| C: t0 CAPABILITY | C: t0 CAPABILITY | |||
| S: * CAPABILITY IMAP4rev1 AUTH=OAUTHBEARER | S: * CAPABILITY IMAP4rev1 AUTH=OAUTHBEARER | |||
| S: t0 OK Completed | S: t0 OK Completed | |||
| C: t1 AUTHENTICATE OAUTHBEARER bixhPXVzZXJAZXhhbXBsZS5jb20BaG9zdD1zZX | C: t1 AUTHENTICATE OAUTHBEARER bixhPXVzZXJAZXhhbXBsZS5jb20BaG9zdD1zZX | |||
| J2ZXIuZXhhbXBsZS5jb20BdXNlcj11c2VyQGV4YW1wbGUuY29tAXBvcnQ9MTQzA | J2ZXIuZXhhbXBsZS5jb20BcG9ydD0xNDMBYXV0aD1CZWFyZXIgdkY5ZGZ0NHFtV | |||
| WF1dGg9QmVhcmVyIHZGOWRmdDRxbVRjMk52YjNSbGNrQmhiSFJoZG1semRHRXVZ | GMyTnZiM1JsY2tCaGJIUmhkbWx6ZEdFdVkyOXRDZz09AQE= | |||
| Mjl0Q2c9PQEB | ||||
| S: t1 OK SASL authentication succeeded | S: t1 OK SASL authentication succeeded | |||
| As required by IMAP [RFC3501], the payloads are base64-encoded. The | As required by IMAP [RFC3501], the payloads are base64-encoded. The | |||
| decoded initial client response (with %x01 represented as ^A and long | decoded initial client response (with %x01 represented as ^A and long | |||
| lines wrapped for readability) is: | lines wrapped for readability) is: | |||
| n,a=user@example.com^Ahost=server.example.com^Auser=user@example.com^A | n,a=user@example.com^Ahost=server.example.com^Aport=143^A | |||
| port=143^Aauth=Bearer vF9dft4qmTc2Nvb3RlckBhbHRhdmlzdGEuY29tCg==^A^A | auth=Bearer vF9dft4qmTc2Nvb3RlckBhbHRhdmlzdGEuY29tCg==^A^A | |||
| The same credential used in an SMTP exchange is shown below. Note | The same credential used in an SMTP exchange is shown below. Note | |||
| that line breaks are inserted for readability, and that the SMTP | that line breaks are inserted for readability, and that the SMTP | |||
| protocol terminates lines with CR and LF characters (ASCII values | protocol terminates lines with CR and LF characters (ASCII values | |||
| 0x0D and 0x0A), these are not displayed explicitly in the example. | 0x0D and 0x0A), these are not displayed explicitly in the example. | |||
| [connection begins] | [connection begins] | |||
| S: 220 mx.example.com ESMTP 12sm2095603fks.9 | S: 220 mx.example.com ESMTP 12sm2095603fks.9 | |||
| C: EHLO sender.example.com | C: EHLO sender.example.com | |||
| S: 250-mx.example.com at your service,[172.31.135.47] | S: 250-mx.example.com at your service,[172.31.135.47] | |||
| S: 250-SIZE 35651584 | S: 250-SIZE 35651584 | |||
| S: 250-8BITMIME | S: 250-8BITMIME | |||
| S: 250-AUTH LOGIN PLAIN OAUTHBEARER | S: 250-AUTH LOGIN PLAIN OAUTHBEARER | |||
| S: 250-ENHANCEDSTATUSCODES | S: 250-ENHANCEDSTATUSCODES | |||
| S: 250-PIPELINING | S: 250-PIPELINING | |||
| C: t1 AUTHENTICATE OAUTHBEARER bixhPXVzZXJAZXhhbXBsZS5jb20BaG9zdD1zZX | C: t1 AUTHENTICATE OAUTHBEARER bixhPXVzZXJAZXhhbXBsZS5jb20BaG9zdD1zZX | |||
| J2ZXIuZXhhbXBsZS5jb20BdXNlcj11c2VyQGV4YW1wbGUuY29tAXBvcnQ9MTQzA | J2ZXIuZXhhbXBsZS5jb20BcG9ydD0xNDMBYXV0aD1CZWFyZXIgdkY5ZGZ0NHFtV | |||
| WF1dGg9QmVhcmVyIHZGOWRmdDRxbVRjMk52YjNSbGNrQmhiSFJoZG1semRHRXVZ | GMyTnZiM1JsY2tCaGJIUmhkbWx6ZEdFdVkyOXRDZz09AQE= | |||
| Mjl0Q2c9PQEB | ||||
| S: 235 Authentication successful. | S: 235 Authentication successful. | |||
| [connection continues...] | [connection continues...] | |||
| 5.2. OAuth 1.0a Authorization with Channel Binding | 5.2. OAuth 1.0a Authorization with Channel Binding | |||
| This example shows channel binding in the context of an OAuth 1.0a | This example shows channel binding in the context of an OAuth 1.0a | |||
| signed authorization request. Note that line breaks are inserted for | signed authorization request. Note that line breaks are inserted for | |||
| readability. | readability. | |||
| S: * CAPABILITY IMAP4rev1 AUTH=OAUTH10A-PLUS SASL-IR IMAP4rev1 Server | S: * CAPABILITY IMAP4rev1 AUTH=OAUTH10A-PLUS SASL-IR IMAP4rev1 Server | |||
| skipping to change at page 17, line 7 ¶ | skipping to change at page 18, line 7 ¶ | |||
| GxJSFJsWVNCd2IzUXUiAXFzPWNiZGF0YT10bHMtdW5pcXVlOlNHOTNJR0pwWnlCc | GxJSFJsWVNCd2IzUXUiAXFzPWNiZGF0YT10bHMtdW5pcXVlOlNHOTNJR0pwWnlCc | |||
| GN5QmhJRlJNVXlCbWFXNWhiQ0J0WlhOellXZGxQd289AQE= | GN5QmhJRlJNVXlCbWFXNWhiQ0J0WlhOellXZGxQd289AQE= | |||
| S: t1 OK SASL authentication succeeded | S: t1 OK SASL authentication succeeded | |||
| As required by IMAP [RFC3501], the payloads are base64-encoded. The | As required by IMAP [RFC3501], the payloads are base64-encoded. The | |||
| decoded initial client response (with %x01 represented as ^A and | decoded initial client response (with %x01 represented as ^A and | |||
| lines wrapped for readability) is: | lines wrapped for readability) is: | |||
| y,a=user@example.com^A | y,a=user@example.com^A | |||
| host=server.example.com^A | host=server.example.com^A | |||
| user=user@example.com^A | ||||
| port=143^A | port=143^A | |||
| auth=OAuth realm="Example", | auth=OAuth realm="Example", | |||
| oauth_consumer_key="9djdj82h48djs9d2", | oauth_consumer_key="9djdj82h48djs9d2", | |||
| oauth_token="kkk9d7dh3k39sjv7", | oauth_token="kkk9d7dh3k39sjv7", | |||
| oauth_signature_method="HMAC-SHA1", | oauth_signature_method="HMAC-SHA1", | |||
| oauth_timestamp="137131201", | oauth_timestamp="137131201", | |||
| oauth_nonce="7d8f3e4a", | oauth_nonce="7d8f3e4a", | |||
| oauth_signature="SSdtIGEgbGl0dGxlIHRlYSBwb3Qu"^A | oauth_signature="SSdtIGEgbGl0dGxlIHRlYSBwb3Qu"^A | |||
| qs=cbdata=tls-unique:SG93IGJpZyBpcyBhIFRMUyBmaW5hbCBtZXNzYWdlPwo=^A^A | qs=cbdata=tls-unique:SG93IGJpZyBpcyBhIFRMUyBmaW5hbCBtZXNzYWdlPwo=^A^A | |||
| skipping to change at page 17, line 37 ¶ | skipping to change at page 18, line 36 ¶ | |||
| 5.3. Failed Exchange | 5.3. Failed Exchange | |||
| This example shows a failed exchange because of the empty | This example shows a failed exchange because of the empty | |||
| Authorization header, which is how a client can query for the needed | Authorization header, which is how a client can query for the needed | |||
| scope. Note that line breaks are inserted for readability. | scope. Note that line breaks are inserted for readability. | |||
| S: * CAPABILITY IMAP4rev1 AUTH=OAUTHBEARER SASL-IR IMAP4rev1 Server | S: * CAPABILITY IMAP4rev1 AUTH=OAUTHBEARER SASL-IR IMAP4rev1 Server | |||
| Ready | Ready | |||
| S: t0 OK Completed | S: t0 OK Completed | |||
| C: t1 AUTHENTICATE OAUTHBEARER bixhPXVzZXJAZXhhbXBsZS5jb20BaG9zdD | C: t1 AUTHENTICATE OAUTHBEARER bixhPXVzZXJAZXhhbXBsZS5jb20BaG9zdD | |||
| 1zZXJ2ZXIuZXhhbXBsZS5jb20BdXNlcj11c2VyQGV4YW1wbGUuY29tAXBvc | 1zZXJ2ZXIuZXhhbXBsZS5jb20BcG9ydD0xNDMBYXV0aD0BAQ== | |||
| nQ9MTQzAWF1dGg9AQE= | ||||
| S: + ewoic3RhdHVzIjoiNDAxIgoic2NvcGUiOiJleGFtcGxlX3Njb3BlIgp9 | S: + ewoic3RhdHVzIjoiNDAxIgoic2NvcGUiOiJleGFtcGxlX3Njb3BlIgp9 | |||
| C: + AQ== | C: + AQ== | |||
| S: t1 NO SASL authentication failed | S: t1 NO SASL authentication failed | |||
| The decoded initial client response is: | The decoded initial client response is: | |||
| n,a=user@example.com,^Ahost=server.example.com^Auser=user@example. | n,a=user@example.com,^Ahost=server.example.com^A | |||
| com^Aport=143^Aauth=^A^A | port=143^Aauth=^A^A | |||
| The decoded server error response is: | The decoded server error response is: | |||
| { | { | |||
| "status":"401", | "status":"401", | |||
| "scope":"example_scope" | "scope":"example_scope" | |||
| } | } | |||
| The client responds with the required empty response. | The client responds with the required empty response. | |||
| 5.4. Failed Channel Binding | 5.4. Failed Channel Binding | |||
| This example shows a channel binding failure in an empty request. | This example shows a channel binding failure in an empty request. | |||
| The channel binding information is empty. Note that line breaks are | The channel binding information is empty. Note that line breaks are | |||
| inserted for readability. | inserted for readability. | |||
| S: * CAPABILITY IMAP4rev1 AUTH=OAUTH10A-PLUS SASL-IR IMAP4rev1 Server | S: * CAPABILITY IMAP4rev1 AUTH=OAUTH10A-PLUS SASL-IR IMAP4rev1 Server | |||
| Ready | Ready | |||
| S: t0 OK Completed | S: t0 OK Completed | |||
| C: t1 AUTHENTICATE OAUTH10A-PLUS eSxhPXVzZXJAZXhhbXBsZS5jb20sAWhv | C: t1 AUTHENTICATE OAUTH10A-PLUS eSxhPXVzZXJAZXhhbXBsZS5jb20BaG9z | |||
| c3Q9c2VydmVyLmV4YW1wbGUuY29tAXVzZXI9dXNlckBleGFtcGxlLmNvbQF | dD1zZXJ2ZXIuZXhhbXBsZS5jb20BcG9ydD0xNDMBYXV0aD0BY2JkYXRhPQEB | |||
| wb3J0PTE0MwFhdXRoPQFjYmRhdGE9AQE= | ||||
| S: + ewoic3RhdHVzIjoiNDEyIiwKInNjb3BlIjoiZXhhbXBsZV9zY29wZSIKfQ== | S: + ewoic3RhdHVzIjoiNDEyIiwKInNjb3BlIjoiZXhhbXBsZV9zY29wZSIKfQ== | |||
| C: + AQ== | C: + AQ== | |||
| S: t1 NO SASL authentication failed | S: t1 NO SASL authentication failed | |||
| The decoded initial client response is: | The decoded initial client response is: | |||
| y,a=user@example.com,^Ahost=server.example.com^A | y,a=user@example.com,^Ahost=server.example.com^A | |||
| user=user@example.com^Aport=143^Aauth=^Acbdata=^A^A | port=143^Aauth=^Acbdata=^A^A | |||
| The decoded server response is: | The decoded server response is: | |||
| { | { | |||
| "status":"412", | "status":"412", | |||
| "scope":"example_scope" | "scope":"example_scope" | |||
| } | } | |||
| The client responds with the required empty response. | The client responds with the required empty response. | |||
| skipping to change at page 19, line 14 ¶ | skipping to change at page 20, line 14 ¶ | |||
| [connection begins] | [connection begins] | |||
| S: 220 mx.example.com ESMTP 12sm2095603fks.9 | S: 220 mx.example.com ESMTP 12sm2095603fks.9 | |||
| C: EHLO sender.example.com | C: EHLO sender.example.com | |||
| S: 250-mx.example.com at your service,[172.31.135.47] | S: 250-mx.example.com at your service,[172.31.135.47] | |||
| S: 250-SIZE 35651584 | S: 250-SIZE 35651584 | |||
| S: 250-8BITMIME | S: 250-8BITMIME | |||
| S: 250-AUTH LOGIN PLAIN OAUTHBEARER | S: 250-AUTH LOGIN PLAIN OAUTHBEARER | |||
| S: 250-ENHANCEDSTATUSCODES | S: 250-ENHANCEDSTATUSCODES | |||
| S: 250-PIPELINING | S: 250-PIPELINING | |||
| C: AUTH OAUTHBEARER dXNlcj1zb21ldXNlckBleGFtcGxlLmNvbQFhdXRoPUJlYXJlciB2 | C: AUTH OAUTHBEARER bixhPT1zb21ldXNlckBleGFtcGxlLmNvbQFhdXRoPUJlYXJlciB2 | |||
| RjlkZnQ0cW1UYzJOdmIzUmxja0JoZEhSaGRtbHpkR0V1WTI5dENnPT0BAQo= | RjlkZnQ0cW1UYzJOdmIzUmxja0JoZEhSaGRtbHpkR0V1WTI5dENnPT0BAQ== | |||
| S: 334 eyJzdGF0dXMiOiI0MDEiLCJzY2hlbWVzIjoiYmVhcmVyIG1hYyIsInNjb3BlIjoia | S: 334 eyJzdGF0dXMiOiI0MDEiLCJzY2hlbWVzIjoiYmVhcmVyIG1hYyIsInNjb3BlIjoia | |||
| HR0cHM6Ly9tYWlsLmdvb2dsZS5jb20vIn0K | HR0cHM6Ly9tYWlsLmdvb2dsZS5jb20vIn0K | |||
| C: AQ== | C: AQ== | |||
| S: 535-5.7.1 Username and Password not accepted. Learn more at | S: 535-5.7.1 Username and Password not accepted. Learn more at | |||
| S: 535 5.7.1 http://support.example.com/mail/oauth | S: 535 5.7.1 http://support.example.com/mail/oauth | |||
| [connection continues...] | [connection continues...] | |||
| The server returned an error message in the 334 SASL message, the | The server returned an error message in the 334 SASL message, the | |||
| client responds with the required empty response, and the server | client responds with the required empty response, and the server | |||
| finalizes the negotiation. | finalizes the negotiation. | |||
| skipping to change at page 26, line 9 ¶ | skipping to change at page 27, line 9 ¶ | |||
| Appendix A. Acknowlegements | Appendix A. Acknowlegements | |||
| The authors would like to thank the members of the Kitten working | The authors would like to thank the members of the Kitten working | |||
| group, and in addition and specifically: Simon Josefson, Torsten | group, and in addition and specifically: Simon Josefson, Torsten | |||
| Lodderstadt, Ryan Troll, and Nico Williams. | Lodderstadt, Ryan Troll, and Nico Williams. | |||
| Appendix B. Document History | Appendix B. Document History | |||
| [[ to be removed by RFC editor before publication as an RFC ]] | [[ to be removed by RFC editor before publication as an RFC ]] | |||
| -06 | ||||
| o Removed the user field. Fixed the examples again. | ||||
| o Added canonicalization language. | ||||
| o | ||||
| -05 | -05 | |||
| o Fixed the GS2 header language again. | o Fixed the GS2 header language again. | |||
| o Separated out different OAuth schemes into different SASL | o Separated out different OAuth schemes into different SASL | |||
| mechanisms. Took out the scheme in the error return. Tuned up | mechanisms. Took out the scheme in the error return. Tuned up | |||
| the IANA registrations. | the IANA registrations. | |||
| o Added the user field back into the SASL message. | o Added the user field back into the SASL message. | |||
| End of changes. 35 change blocks. | ||||
| 78 lines changed or deleted | 88 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||